Re: It's not possible to allow non-OPIE logins only from trusted

看板FB_security作者時間14年前 (2011/03/10 15:32), 編輯推噓0(000)
留言0則, 0人參與, 最新討論串2/26 (看更多)
On Wed, 9 Mar 2011 09:51, mbox@ wrote: > > I think the way pam_opieaccess behaves is like "leave a security breach > by default". I think it would be more usefull if it returned PAM_SUCCESS > when: > > 1. The user does not have OPIE enabled and the remote host is listed as > a trusted host in /etc/opieaccess. > 2. The user has OPIE enabled and the remote host is listed as a trusted > host in /etc/opieaccess, and the user does not have a file > named .opiealways in his home directory. > > Or at least this should be an option for pam_opieaccess. > Does changing the following in /etc/pam.d/sshd help ? # auth (edited for length) -auth sufficient pam_opie.so no_warn no_fake_prompts +auth binding pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local There might be some other combinations that would change this behavior for you but you will have to consult with pam.conf(5) as this is a pretty big beast to sum up here. Tweaking PAM in some situations could lead you to undesired results. Putting something into place of a script that runs out of /etc/profile or /etc/shrc or whatever that greps the contents of /etc/opiekeys and prompts the user to run the correct commands or runs them the first time might just be a better long-term solution to enforcing they use OPIE. /etc/profile grep "^${LOGNAME} " /etc/opiekeys ||/usr/bin/opiepasswd -c .... Anyway I'm sure some other shell-masters@ will chime in at some point and possibly share what they have done in the past/present/future and offer up some real good insight on this. VPN access to the box(s) could be another solution where everyone is local and you don't need OPIE at all. \o/ -- Regards, J. Hellenthal (0x89D8547E) JJH48-ARIN _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
更多 jhell. 的文章
文章代碼(AID): #1DU7voYv (FB_security)
討論串 (同標題文章)
完整討論串 (本文為第 2 之 26 篇):
排序: 最新先 | 最舊先 | 留言數
在新視窗開啟完整討論串 (共26篇)
更多 jhell. 的文章
文章代碼(AID): #1DU7voYv (FB_security)